CLAIMS

1. Method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$, m being greater than or equal to 1, or of the parameters derived from these
values,

- a public modulus n constituted by the product of f prime factors $p_1, p_2, \ldots, p_f$, f being greater than or equal to 2;

said modulus, said exponent and said values being related by relations of the 
following type 

$G_i \cdot Q_i^{v} \equiv 1 \bmod n$ or $G_i \equiv Q_i^{v} \bmod n$;

v designating a public exponent such that 

$v = 2^{k}$

where k is a security parameter greater than 1; 

said public value $G_i$ being the square $g_i^{2}$ of a base number $g_i$ smaller than the f
prime factors $p_1, p_2, \ldots, p_f$; the base number $g_i$ being such that the following two
conditions are met:
neither of the two equations:

$x^{2} \equiv g_i \bmod n$ and $x^{2} \equiv -g_i \bmod n$
can be resolved in x in the ring of integers modulo n
the equation:

$x^{v} \equiv g_i^{2} \bmod n$

can be resolved in x in the ring of the integers modulo n;

said method implements, in the following steps, an entity called a witness having f
prime factors $p_i$ and/or parameters of the Chinese remainders of the prime factors
and/or the public modulus n and/or the m private values $Q_i$ and/or the f.m
components $Q_{i,j}$ ($Q_{i,j} \equiv Q_i \bmod p_j$) of the private values $Q_i$ and of the public
exponent v;




- the witness computes commitments R in the ring of the integers modulo n; 
each commitment being computed: 

• either by performing operations of the type: 

$R \equiv r^{v} \bmod n$
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

$R_i \equiv r_i^{v} \bmod p_i$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$,
each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$,

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising 
m integers $d_i$ hereinafter called elementary challenges; the witness, on the basis of
each challenge d, computes a response D, 

• either by performing operations of the type: 

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdot \ldots \cdot Q_m^{d_m} \bmod n$

• or 

• • by performing operations of the type: 

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdot \ldots \cdot Q_{i,m}^{d_m} \bmod p_i$

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, D forming a triplet 
referenced {R, d, D}. 

2. Method according to claim 1, designed to prove the authenticity of an 
entity known as a demonstrator to an entity known as the controller, said 
demonstrator entity comprising the witness; 

said demonstrator and controller entities executing the following steps: 

• Step 1: act of commitment R 

at each call, the witness computes each commitment R by applying the 
process specified in claim 1,
the demonstrator sends the controller all or part of each commitment R,

• Step 2: act of challenge d 

- the controller, after having received all or part of each commitment R, 
produces challenges d whose number is equal to the number of commitments R and 
sends the challenges d to the demonstrator, 

• Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified in claim 1,

• Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

case where the demonstrator has transmitted a part of each commitment R 
if the demonstrator has transmitted a part of each commitment R, the controller, 
having the m public values $G_1, G_2, \ldots, G_m$, computes a reconstructed commitment
R' from each challenge d and each response D, this reconstructed commitment R'
satisfying a relationship of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or a relationship of the type

$R' \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$
the controller ascertains that each reconstructed commitment R' reproduces all or
part of each commitment R that has been transmitted to it. 

case where the demonstrator has transmitted the totality of each commitment R 

if the demonstrator has transmitted the totality of each commitment R, the controller, 
having the m public values $G_1, G_2, \ldots, G_m$, ascertains that each commitment R
satisfies a relationship of the type

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or a relationship of the type

$R \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

3. Method according to claim 1, designed to provide proof to an entity,
known as the controller entity, of the integrity of a message M associated with an 
entity called a demonstrator entity, said demonstrator entity comprising the witness; 



said demonstrator and controller entities executing the following steps: 
• Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1,

• Step 2: act of challenge d

- the demonstrator applies a hashing function h whose arguments are the message M 
and all or part of each commitment R to compute at least one token T, 

- the demonstrator sends the token T to the controller, 

- the controller, after having received a token T, produces challenges d equal in 
number to the number of commitments R and sends the challenges d to the
demonstrator,

• Step 3: act of response D

- the witness computes the responses D from the challenges d by applying the
process specified according to claim 1,

• Step 4: act of checking

- the demonstrator sends each response D to the controller, 

- the controller, having the m public values $G_1, G_2, \ldots, G_m$, computes a
reconstructed commitment R' from each challenge d and each response D, this
reconstructed commitment R' satisfying a relationship of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$

or a relationship of the type

$R' \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

- then the controller applies the hashing function h whose arguments are the message
M and all or part of each reconstructed commitment R' to reconstruct the token T',

- then the controller ascertains that the token T' is identical to the token T
transmitted.

4. Method according to claim 1, designed to produce the digital signature of 
a message M by an entity known as the signing entity, said signing entity comprising 
the witness; 
Signing operation

said signing entity executes a signing operation in order to obtain a signed message
comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said signing entity executes the signing operation by implementing the following 
steps: 

• Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 

• Step 2: act of challenge d 

- the signing party applies a hashing function h whose arguments are the message M 
and each commitment R to obtain a binary train, 

- from this binary train, the signing party extracts challenges d whose number is 
equal to the number of commitments R, 

• Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1.

5. Method according to claim 4, designed to prove the authenticity of the 
message M by checking the signed message through an entity called a controller; 
Checking operation 

- said controller entity having the signed message executes a checking operation by 
proceeding as follows: 

• case where the controller has commitments R, challenges d, responses D 

if the controller has commitments R, challenges d, responses D, 

• • the controller ascertains that the commitments R, the challenges d and the 
responses D satisfy relationships of the type 

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or relationships of the type

$R \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

• • the controller ascertains that the message M, the challenges d and the
commitments R satisfy the hashing function: 

d = h (message, R) 

• case where the controller has challenges d and responses D 
if the controller has challenges d and responses D, 

• • the controller reconstructs, on the basis of each challenge d and each 
response D, commitments R' satisfying relationships of the type 

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or relationships of the type:

$R' \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

• • the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

d = h (message, R') 

• case where the controller has commitments R and responses D 
if the controller has commitments R and responses D, 

• • the controller applies the hashing function and reconstructs d' 

d' = h (message, R)

• • the controller device ascertains that the commitments R, the challenges d'
and the responses D satisfy relationships of the type

$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdot \ldots \cdot G_m^{d'_m} \cdot D^{v} \bmod n$
or relationships of the type:

$R \equiv D^{v} / G_1^{d'_1} \cdot G_2^{d'_2} \cdot \ldots \cdot G_m^{d'_m} \bmod n$
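
The commitment, challenge, response and checking steps of claims 1 and 2, and the hash-derived challenges of claims 4 and 5, as an added worked example in Python that is not part of the patent text. Assumptions not stated in the claims: the toy primes (both congruent to 3 mod 4), k = 16, SHA-256 as the hashing function h, elementary challenges of k-1 bits, and all function names.

```python
import hashlib
import secrets
from math import prod

# Constructed toy parameters (assumptions, not from the claims). Both primes are
# congruent to 3 mod 4; the sizes are far too small for real use.
PRIMES = [2**31 - 1, 1000003]    # prime factors p_1, p_2 (f = 2)
K = 16                           # security parameter k
V = 2**K                         # public exponent v = 2^k
N = prod(PRIMES)                 # public modulus n

def crt(residues):
    """Chinese remainder method: residues mod each p_i -> one value mod n."""
    x, mod = 0, 1
    for a, p in zip(residues, PRIMES):
        x += mod * ((a - x) * pow(mod, -1, p) % p)
        mod *= p
    return x

def legendre(a, p):
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def is_valid_base(g):
    """For primes = 3 mod 4: neither g nor -g is a square mod n exactly when the
    Legendre symbols of g differ between the primes; g^2 then has a v-th root."""
    return 1 < g < min(PRIMES) and len({legendre(g, p) for p in PRIMES}) == 2

def make_keys(m):
    """Choose m base numbers g_i, set G_i = g_i^2, solve G_i * Q_i^v = 1 mod n."""
    bases = [g for g in range(2, 100) if is_valid_base(g)][:m]
    publics = [g * g % N for g in bases]
    privates = []
    for G in publics:
        parts = []
        for p in PRIMES:
            # x -> x^((p+1)/4) undoes one squaring on the squares mod p; do it k times
            e = pow((p + 1) // 4, K, (p - 1) // 2)
            parts.append(pow(pow(G, e, p), -1, p))
        privates.append(crt(parts))
    return bases, publics, privates

def commit():
    """Witness, CRT variant: R_i = r_i^v mod p_i, then recombine into R mod n."""
    rs = [1 + secrets.randbelow(p - 1) for p in PRIMES]       # 0 < r_i < p_i
    return rs, crt([pow(r, V, p) for r, p in zip(rs, PRIMES)])

def respond(rs, d, privates):
    """Witness: D_i = r_i * Q_{i,1}^d_1 ... Q_{i,m}^d_m mod p_i, then recombine."""
    parts = []
    for r, p in zip(rs, PRIMES):
        D_i = r
        for Q, d_j in zip(privates, d):
            D_i = D_i * pow(Q % p, d_j, p) % p
        parts.append(D_i)
    return crt(parts)

def reconstruct(d, D, publics):
    """Controller: R' = G_1^d_1 ... G_m^d_m * D^v mod n."""
    R = pow(D, V, N)
    for G, d_j in zip(publics, d):
        R = R * pow(G, d_j, N) % N
    return R

def authenticate(publics, privates):
    """One {R, d, D} triplet of claim 2 with the whole commitment transmitted."""
    rs, R = commit()
    # Assumption: each elementary challenge is k-1 bits (the claims give no range)
    d = [secrets.randbelow(2 ** (K - 1)) for _ in publics]
    D = respond(rs, d, privates)
    return 0 < D < N and reconstruct(d, D, publics) == R

def hash_to_challenge(message, R, m):
    """h(M, R) -> binary train -> m elementary challenges (SHA-256 is assumed)."""
    data = message + R.to_bytes((N.bit_length() + 7) // 8, "big")
    train = int.from_bytes(hashlib.sha256(data).digest(), "big")
    mask = 2 ** (K - 1) - 1
    return [(train >> (j * (K - 1))) & mask for j in range(m)]

def sign(message, publics, privates):
    """Claim 4: the challenges come from the hash; signed message = (M, d, D)."""
    rs, R = commit()
    d = hash_to_challenge(message, R, len(publics))
    return d, respond(rs, d, privates)

def verify(message, d, D, publics):
    """Claim 5, case 'challenges d and responses D': rebuild R', re-hash, compare."""
    if not 0 < D < N:            # reject out-of-range responses before any arithmetic
        return False
    return hash_to_challenge(message, reconstruct(d, D, publics), len(publics)) == d

if __name__ == "__main__":
    bases, publics, privates = make_keys(2)
    print("bases:", bases, "authentication ok:", authenticate(publics, privates))
    d, D = sign(b"constructed sample message", publics, privates)
    print("signature ok:", verify(b"constructed sample message", d, D, publics))
```

The commitment computed per prime and recombined by the Chinese remainder method equals the direct form R = r^v mod n for the recombined r, so either variant of claim 1 yields the same triplet.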

6. A system designed to prove, to a controller server, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 
by means of: 

- m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$, m
being greater than or equal to 1, or parameters derived from these values,

- a public modulus n constituted by the product of said f prime factors $p_1, p_2, \ldots, p_f$, f being greater than or equal to 2,

said modulus and said values being linked by relations of the type

$G_i \cdot Q_i^{v} \equiv 1 \bmod n$ or $G_i \equiv Q_i^{v} \bmod n$.
v designating a public exponent such that 

$v = 2^{k}$

where k is a security parameter greater than 1;

said public value $G_i$ being the square $g_i^{2}$ of the base number $g_i$ smaller than the
f prime factors $p_1, p_2, \ldots, p_f$, the base number $g_i$ being such that the following
conditions are met:

neither of the two equations:

$x^{2} \equiv g_i \bmod n$ and $x^{2} \equiv -g_i \bmod n$
can be resolved in x in the ring of integers modulo n
the equation:

$x^{v} \equiv g_i^{2} \bmod n$

can be resolved in x in the ring of the integers modulo n;

said system comprises a witness device, contained especially in a nomad object 
which, for example, takes the form of a microprocessor-based bank card, 
the witness device comprises 

- a memory zone containing the f prime factors $p_i$ and/or the parameters of the
Chinese remainders of the prime factors and/or the public modulus n and/or the m
private values $Q_i$ and/or f.m components $Q_{i,j}$ ($Q_{i,j} \equiv Q_i \bmod p_j$) of the private values
$Q_i$ and of the public exponent v;

said witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of
commitments R of the witness device, to compute commitments R in the ring of 
integers modulo n; each commitment being computed: 

• either by performing operations of the type: 

$R \equiv r^{v} \bmod n$

where r is a random value produced by the random value production means, r being
such that 0 < r < n,

• or by performing operations of the type:

$R_i \equiv r_i^{v} \bmod p_i$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$,
each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$, then by applying
the Chinese remainder method;
said witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers $d_i$ hereinafter called elementary challenges;

- computation means, hereinafter called means for the computation of the 
responses D of the witness device for the computation, on the basis of each challenge 
d, of a response D, 

• either by performing operations of the type: 

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdot \ldots \cdot Q_m^{d_m} \bmod n$

• or by performing operations of the type:

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdot \ldots \cdot Q_{i,m}^{d_m} \bmod p_i$
and then by applying the Chinese remainder method.

- transmission means to transmit one or more commitments R and one or 
more responses D; 

there are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R, d, D forming a triplet referenced {R, d, D}. 

7. A system according to claim 6, designed to prove the authenticity of an 
entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said 
demonstrator device being interconnected with the witness device by interconnection 
means and possibly taking the form especially of logic microcircuits in a nomad 
object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

- a controller device associated with the controller entity, said controller
device especially taking the form of a terminal or remote server, said controller 
device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the 
transmission means of the demonstrator, to transmit all or part of each commitment 
R to the controller device through the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d equal in number to 
the number of commitments R, 

the controller device also has transmission means, hereinafter known as the 
transmission means of the controller, to transmit the challenges d to the demonstrator 
through the connection means. 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection
means, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the
controller, 

the controller device also comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device, 

case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each 
commitment R, the computation means of the controller device, having m public 
values $G_1, G_2, \ldots, G_m$, compute a reconstructed commitment R', from each
challenge d and each response D, this reconstructed commitment R' satisfying a
relationship of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or a relationship of the type

$R' \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$
the comparison means of the controller device compare each reconstructed
commitment R' with all or part of each commitment R received,
case where the demonstrator has transmitted the totality of each commitment 
R 

if the transmission means of the demonstrator have transmitted the totality of each 
commitment R, the computation means and the comparison means of the controller 
device, having m public values $G_1, G_2, \ldots, G_m$, ascertain that each commitment R
satisfies a relationship of the type

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or a relationship of the type

$R \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

8. System according to claim 6, designed to give proof to an entity, known as
a controller, of the integrity of a message M associated with an entity known as a 
demonstrator, 

said system being such that it comprises

- a demonstrator device associated with the demonstrator entity, said 
demonstrator device being interconnected with the witness device by interconnection 
means and possibly taking the form especially of logic microcircuits in a nomad 
object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

- a controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server, said controller 
device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified in claim 1 
the witness device has transmission means, hereinafter called transmission means of 
the witness device, to transmit all or part of each commitment R to the demonstrator 
device through the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T, 

the demonstrator device also has transmission means, hereinafter known as the
transmission means of the demonstrator device, to transmit each token T through the 
connection means to the controller device, 

the controller device also has challenge production means for the production, after 
having received the token T, of the challenges d in a number equal to the number of 
commitments R, 

the controller device also has transmission means, hereinafter called the transmission
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each
challenge d coming from the demonstrator device through the interconnection 
means, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the 
controller, 

the controller device also comprises computation means, hereinafter called the 
computation means of the controller device, having m public values $G_1, G_2, \ldots, G_m$,
to firstly compute a reconstructed commitment R', from each challenge d and each
response D, this reconstructed commitment R' satisfying a relationship of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or a relationship of the type

$R' \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$
then, secondly, compute a token T' by applying the hashing function h having as
arguments the message M and all or part of each reconstructed commitment R',
the controller device also has comparison means, hereinafter known as the
comparison means of the controller device, to compare the computed token T' with
the received token T.

9. System according to claim 6, designed to produce the digital signature of a 
message M, hereinafter known as the signed message, by an entity called a signing 
entity; 

the signed message comprising: 
- the message M, 

- the challenges d and/or the commitments R,

- the responses D; 
Signing operation 

said system being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking the form especially of logic microcircuits 
in a nomad object, for example the form of a microprocessor in a microprocessor-based
bank card,

said system enabling the execution of the following steps: 

• Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1,
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and 
extract, from this binary train, challenges d whose number is equal to the number of 
commitments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device 
through the interconnection means. 

10. System according to claim 9, designed to prove the authenticity of the
message M by checking the signed message by means of an entity called the 
controller; 

Checking operation 

the system being such that it comprises a controller device associated with the
controller entity, said controller device especially taking the form of a terminal or 
remote server, said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the signing device; 
the signing device associated with the signing entity comprises transmission means,
hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection 
means, in such a way that the controller device has a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R,

- the responses D; 

the controller device comprises: 

- computation means hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the
controller device.

• case where the controller device has commitments R, challenges d, responses D 

if the controller has commitments R, challenges d, responses D, 

• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d and the responses D satisfy relationships of
the type 

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$

or relationships of the type:

$R \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

• • the computation and comparison means of the controller device ascertain
that the message M, the challenges d and the commitments R satisfy the hashing 
function: 

d = h (message, R) 

• case where the controller device has challenges d and responses D 

if the controller device has challenges d and responses D, 

• • the computation means of the controller, on the basis of each challenge d 
and each response D, compute commitments R' satisfying relationships of the type 

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \cdot D^{v} \bmod n$
or relationships of the type:

$R' \equiv D^{v} / G_1^{d_1} \cdot G_2^{d_2} \cdot \ldots \cdot G_m^{d_m} \bmod n$

• • the computation and comparison means of the controller device ascertain 
that the message M and the challenges d satisfy the hashing function: 

d = h (message, R') 

• case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function 
and compute d' such that 

d' = h (message, R)

• • the computation and comparison means of the controller device ascertain
that the commitments R, the challenges d' and the responses D satisfy relationships
of the type

$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdot \ldots \cdot G_m^{d'_m} \cdot D^{v} \bmod n$

or relationships of the type:

$R \equiv D^{v} / G_1^{d'_1} \cdot G_2^{d'_2} \cdot \ldots \cdot G_m^{d'_m} \bmod n$

11. A terminal device associated with an entity, taking the form especially of
a nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card, designed to prove to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity; 
by means of:

- m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$, m
being greater than or equal to 1, or parameters derived from these values,

- a public modulus n constituted by the product of said f prime factors $p_1, p_2, \ldots, p_f$ (f being greater than or equal to 2),

said modulus and said values being related by relations of the type 

$G_i \cdot Q_i^{v} \equiv 1 \bmod n$ or $G_i \equiv Q_i^{v} \bmod n$.
v designating a public exponent such that

$v = 2^{k}$

where k is a security parameter greater than 1.

said public value $G_i$ being the square $g_i^{2}$ of the base number $g_i$ smaller than the f
prime factors $p_1, p_2, \ldots, p_f$, the base number $g_i$ being such that:

neither of the two equations:

$x^{2} \equiv g_i \bmod n$ and $x^{2} \equiv -g_i \bmod n$
can be resolved in x in the ring of integers modulo n

the equation:

$x^{v} \equiv g_i^{2} \bmod n$

can be resolved in x in the ring of the integers modulo n.
said terminal device comprises a witness device comprising, 

- a memory zone containing the f prime factors $p_i$ and/or the parameters of the
Chinese remainders of the prime factors and/or the public modulus n and/or the m
private values $Q_i$ and/or f.m components $Q_{i,j}$ ($Q_{i,j} \equiv Q_i \bmod p_j$) of the private values
$Q_i$ and of the public exponent v.

said witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of the 
integers modulo n; each commitment being computed: 

• either by performing operations of the type: 

$R \equiv r^{v} \bmod n$

where r is a random value produced by the random value production means, r being
such that 0 < r < n,

• or by performing operations of the type:

$R_i \equiv r_i^{v} \bmod p_i$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$,
each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$ produced by the
random value production means, then by applying the Chinese remainder method; 
said witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers $d_i$ hereinafter called elementary challenges;

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each 
challenge d, of a response D, 

• either by performing operations of the type: 

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdot \ldots \cdot Q_m^{d_m} \bmod n$

• or by performing operations of the type:

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdot \ldots \cdot Q_{i,m}^{d_m} \bmod p_i$
and then by applying the Chinese remainder method, 

- transmission means to transmit one or more commitments R and one or 
more responses D; 

there are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R, d, D forming a triplet referenced {R, d, D}. 

12. A terminal device according to claim 11, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated 
with the demonstrator entity, said demonstrator device being interconnected with the 
witness device by interconnection means and being capable especially of taking the
form of logic microcircuits in a nomad object, for example the form of a
microprocessor in a microprocessor-based bank card, 

said demonstrator device also comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity, said controller device especially taking the form of a terminal or remote 
server; 

said terminal device enabling the execution of the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has transmission means, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the 
transmission means of the demonstrator, to transmit all or part of each commitment 
R to the controller device, through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 

the means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 
between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device, 
the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the 
controller that carries out the check. 

13. Terminal device according to claim 11, designed to give proof to an
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated 
with the demonstrator entity, said demonstrator device being interconnected with the 
witness device by interconnection means and being capable especially of taking the 
form of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

said demonstrator device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity, said controller device especially taking the form of a terminal or remote 
server; 

said terminal device being used to execute the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1;
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 

the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T, 

the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T, through the 
connection means, to the controller device, 

said controller, after having received the token T, produces challenges d equal in 
number to the number of commitments R, 
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the means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 
between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device, 
the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 
the transmission means of the demonstrator send each response D to the controller 
device which performs the check. 

14. Terminal device according to claim 11, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity 
called a signing entity; 
the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the 
signing entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking especially the form of logic microcircuits 
in a nomad object, for example the form of a microprocessor in a
microprocessor-based bank card,

said demonstrator device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity, said controller device especially taking the form of a terminal or remote 
server; 

Signing operation 

said terminal device being used to execute the following steps: 
• Step 1: act of commitment R

at each call, the means of computation of the commitments R of the witness device
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
signing device through the interconnection means, 

• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and 
extract, from this binary train, challenges d whose number is equal to the number of 
commitments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, 
through the interconnection means. 

15. Controller device especially taking the form of a terminal or remote 
server associated with a controller entity, designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity 
by means of: 

- m pairs of public values $G_1, G_2, \ldots, G_m$, m being greater than or equal to 1,

- a public modulus n constituted by the product of said f prime factors
$p_1, p_2, \ldots, p_f$, f being greater than or equal to 2, unknown to the controller device and to the
associated controller entity, 

said modulus and said values being related by relations of the type

$G_i \cdot Q_i^v \equiv 1 \bmod n$ or $G_i \equiv Q_i^v \bmod n$.

where $Q_i$ designates a private value, unknown to the controller device, associated
with the public value $G_i$.

v designating a public exponent such that

$v = 2^k$

where k is a security parameter greater than 1;

said public value $G_i$ being the square $g_i^2$ of a base number $g_i$ smaller than the f prime
factors $p_1, p_2, \ldots, p_f$; the base number $g_i$ being such that the following conditions are
met:

neither of the two equations:

$x^2 \equiv g_i \bmod n$ and $x^2 \equiv -g_i \bmod n$
can be resolved in x in the ring of integers modulo n
the equation:

$x^v \equiv g_i^2 \bmod n$

can be resolved in x in the ring of the integers modulo n. 

16. Controller device according to claim 15, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller; 
said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity; 

said controller device being used to execute the following steps:

• Steps 1 and 2: act of commitment R, act of challenge d 

said controller device also has means for the reception of all or part of the 
commitments R coming from the demonstrator device through the connection means, 
the controller device has challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d in a number equal to 
the number of commitments R, each challenge d comprising m integers $d_i$
hereinafter called elementary challenges.

the controller device also has transmission means, hereinafter called transmission
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

• Steps 3 and 4: act of response D, act of checking 
said controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the
controller device, 

case where the demonstrator has transmitted a part of each commitment R. 

if the reception means of the demonstrator have received a part of each commitment 
R, the computation means of the controller device, having m public values
$G_1, G_2, \ldots, G_m$, compute a reconstructed commitment R', from each challenge d and each
response D, this reconstructed commitment R' satisfying a relationship of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$
or a relationship of the type

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$
the comparison means of the controller device compare each reconstructed 
commitment R' with all or part of each commitment R received, 
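
The commitment, challenge, response and check steps of claims 12 to 16, with the first reconstruction relationship above, as an added Python example that is not part of the patent text. The primes, the base numbers 2 and 6 and k = 8 are constructed toy values; the response form D = r . Q_1^d_1 ... Q_m^d_m mod n, the elementary challenge range 0 to 2^(k-1) - 1 and the use of SHA-256 as the hashing function h are assumptions, since claim 1's response formula is not reproduced in this section.

```python
import hashlib
import secrets

# Constructed toy key (assumption, far too small for real use), v = 2^k.
P1, P2, K = 2147483647, 1000003, 8      # both primes are 3 mod 4
N, V = P1 * P2, 2 ** K
BASES = [2, 6]                          # constructed base numbers g_i
G = [g * g % N for g in BASES]          # public values G_i = g_i^2

def private_value(G_i):
    """Q_i with G_i * Q_i^v = 1 mod n: v-th root mod each prime, then CRT."""
    q1, q2 = [pow(pow(G_i, -1, p), pow(V, -1, (p - 1) // 2), p)
              for p in (P1, P2)]        # (p-1)/2 is the odd order of the squares
    return q1 + P1 * ((q2 - q1) * pow(P1, -1, P2) % P2)

Q = [private_value(G_i) for G_i in G]   # private values, held by the witness

def commit():
    """Step 1, witness: R = r^v mod n for a fresh random 0 < r < n."""
    r = 1 + secrets.randbelow(N - 1)
    return r, pow(r, V, N)

def respond(r, d):
    """Step 3, witness: D = r * prod(Q_i^d_i) mod n (assumed response form)."""
    D = r
    for Q_i, d_i in zip(Q, d):
        D = D * pow(Q_i, d_i, N) % N
    return D

def reconstruct(d, D):
    """Step 4, controller: R' = G_1^d_1 ... G_m^d_m * D^v mod n."""
    R = pow(D, V, N)
    for G_i, d_i in zip(G, d):
        R = R * pow(G_i, d_i, N) % N
    return R

def hashed_challenge(message, R):
    """Claim 14: challenges extracted from h(M, R); SHA-256 is an assumption."""
    digest = hashlib.sha256(message + R.to_bytes(8, "big")).digest()
    return [b % (V // 2) for b in digest[:len(G)]]  # assumed range 0..2^(k-1)-1

def sign(message):
    """Signing operation: the signed message carries M, d and D."""
    r, R = commit()
    d = hashed_challenge(message, R)
    return d, respond(r, d)

def verify(message, d, D):
    """Controller: rebuild R' from (d, D), then re-derive d from h(M, R')."""
    return hashed_challenge(message, reconstruct(d, D)) == d
```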



